beckmarkwith - Fotolia
Cisco vulnerability fix for thrangrycat carries risks
The Cisco vulnerability fix for thrangrycat could make affected hardware unusable. But the vendor said its ready to replace products, if needed.
Depending on contract terms, Cisco is prepared to cover the replacement costs if its fix for the thrangrycat vulnerability in 150 varieties of switches and routers leaves the hardware unusable.
The flaw, reported last week by security firm Red Balloon Security, could let a hacker mount an attack remotely and commandeer the affected hardware, which also includes some firewalls and communication devices.
Fixing the hardware requires much more than a software update. Instead, someone has to physically reprogram a semiconductor component called the Field Programmable Gate Array (FPGA). Because of the sensitivity of the FPGA, there is a risk of doing irreparable harm when patching the Cisco vulnerability.
"A failure during this reprogramming process may cause the device to become unusable and require a hardware replacement," Cisco said in a security advisory update released this week.
Cisco said in an emailed statement that it was prepared to cover the costs of replacing hardware.
"If an affected product becomes unusable and requires a hardware replacement, it will be replaced according to the terms of the customer's support contract or warranty," the company said. "Support contracts are purchased either from Cisco or a Cisco authorized reseller, and Cisco honors the terms of those contracts in regards to replacement costs, if any."
A hacker trying to exploit thrangrycat would have to launch a two-prong attack. The first would have to gain root access to the system through a vulnerability in Cisco's IOS network operating system. Such flaws are not unusual. In May, Cisco patched a critical root access bug in the Nexus 9000 Series switch.
Once attaining root access, the hacker could then access the FPGA, which is a core component in a security feature Cisco calls the Trust Anchor.
The purpose of the Trust Anchor is to authenticate software before allowing it to boot in the system. Red Balloon found it could get around Trust Anchor by manipulating the FPGA -- a task the security company acknowledges would require a high level of expertise.
"It took us a long time to understand how this FPGA modification works," said Jatin Kataria, principal scientist at Red Balloon.
Nevertheless, large enterprises, utilities and government use the Cisco routers and switches, so it's possible a nation-state or other organization would employ sophisticated hackers to exploit the Cisco vulnerability and compromise the hardware to steal data from network traffic.